No longer in use in Poky (dropped in Nanbield through
multiple commits)
(From yocto-docs rev: e5d39e85a0db27bfc857fae9649f799179888eee)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We don't make do_cve_check depend on do_unpack because that would be a
waste of time 99% of the time. The compromise here is that we can't
scan remote patches for issues, but this isn't a problem so downgrade
the warning to a note.
Also move the check for CVEs in the filename before the local file check
so that even with remote patches, we still check for CVE references in
the name.
(From OE-Core rev: 201f0e1d55ca2fa6ab948a82d94e52c6a77ca7d2)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Occasionally the cve-check tool will warn that it is adding the same
package twice. Knowing what this package is might be the first step
towards understanding where this message comes from.
(From OE-Core rev: 699863be46fab91d5729fce1dc5b795761247f98)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The JSON report generated by the cve-check class is basically a huge
list of packages. This list of packages is, however, unsorted.
To make things easier for people comparing the JSON, or more
specifically for git when archiving the JSON over time in a git
repository, we can sort the list by package name.
(From OE-Core rev: f3d9dd947e678078b57b4b607e231b702c26dd4a)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This issue relates to a floating point exception in stress-test, which
is an unlikely security exploit at the best of times, but the test is
not installed so isn't relevant.
(From OE-Core rev: a36d62a06be6cce1a438f8f2178eb60aad6b7267)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This CVE relates to a bug in the minizip tool, but we don't build that.
(From OE-Core rev: 5b06913e5883c35390c87f6660a0578c73ff4ddd)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This CVE is a use-after-free which theoretically can be an exploit
vector, but this UAF only occurs when malloc() fails. As it's
unlikely that the user can orchestrate malloc() failures at just the
place to break on _this_ malloc and not others it is disputed that this
is actually a security issue.
The underlying bug has been fixed, and will be incorporated into the
next release.
(From OE-Core rev: 8c70e7cecb1beb30a5be4ea9bbc89c2f2e11853b)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- Mention CVE_STATUS_GROUPS in the development manual
(otherwise only present in the reference manual, but with
no reference to it)
- In the reference manual description of CVE_STATUS,
link back to the development manual, to provide context.
(From yocto-docs rev: cfef5fe41b6c819e783c88829448ae38141650a5)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add a SECURITY.md file with hints for security researchers and other
parties who might report potential security vulnerabilities.
(Bitbake rev: 936fcec41efacc4ce988c81882a9ae6403702bea)
Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remove a reference to a web resource which is clearly marked as obsolete.
Replace the unnecessarily verbose note by just links to the mentioned tools.
[YOCTO #15233]
(From yocto-docs rev: 3f979f5d2446d57d75f0c4ad2199510d533880e8)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Reported-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- Make it clear that patchtest only supports openembedded-core for now
- Add a short list of instructions for installing Python module
dependencies on the host
- Add a step to add meta-selftest with bitbake layers so that all tests
can run
(From yocto-docs rev: bcd58d68e72226be1930593f5f7fb37de15b7913)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
As discussed before with Richard Purdie, the code supports this but the documentation does not.
Developers in general will not notice this or focus on it because they do not mess with the
layer.conf template file, but in my opinion I think more details can help.
(From yocto-docs rev: 15fc103d4ddd14698c8e75cc654ac157ca1ad740)
Signed-off-by: Talel BELHAJSALEM <bhstalel@gmail.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
COMPATIBLE_MACHINE is used to forbid the use of a recipe or its packages
for a specific set of machines.
In some cases, it may make more sense to have the logic inverted and
have the recipe always forbidden except for hand-picked machines. Such
could be the case for pieces of software that only support some
architectures. In that scenario, it is sometimes a bit easier on the eye
and for maintenance to use the OVERRIDES mechanism but for that, a
default should be set.
COMPATIBLE_MACHINE:aarch64 = "^(aarch64)$"
COMPATIBLE_MACHINE:mips64 = "^(mips64)$"
wouldn't do much because if COMPATIBLE_MACHINE isn't set, the recipe is
assumed compatible and therefore, if no default is provided we enter
that case.
Hence, we need to add
COMPATIBLE_MACHINE = "^$"
as default so that it only matches the empty string, which isn't
possible for MACHINEOVERRIDES.
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: 52196d39bc85de267daffb0074eb59786751f57d)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
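The check the commit above relies on, as an added Python model that is not OE-Core's own base.bbclass code: the COMPATIBLE_MACHINE regex is matched against each entry of MACHINEOVERRIDES, an unset value means "compatible", and the "^$" default can never match a non-empty override. The override-resolution order and the sample MACHINEOVERRIDES strings are simplifying assumptions.

```python
import re

# Constructed recipe fragment mirroring the commit message: per-override
# values for COMPATIBLE_MACHINE, keyed by the override name.
RECIPE_OVERRIDES = {
    "aarch64": "^(aarch64)$",
    "mips64": "^(mips64)$",
}


def resolve(default, override_values, machineoverrides):
    """Pick the COMPATIBLE_MACHINE value for this machine.

    Assumption (simplified BitBake OVERRIDES semantics): later entries of
    the colon-separated MACHINEOVERRIDES list take priority, so the last
    matching ':override' assignment wins over the plain default.
    """
    value = default
    for override in machineoverrides.split(":"):
        if override in override_values:
            value = override_values[override]
    return value


def compatible(compatible_machine, machineoverrides):
    """Model of the COMPATIBLE_MACHINE test: True means the recipe is parsed,
    False means it would be skipped for this machine."""
    # Unset or empty COMPATIBLE_MACHINE: recipe is assumed compatible.
    if not compatible_machine:
        return True
    # "^$" only matches the empty string, and every override name in
    # MACHINEOVERRIDES is non-empty, so the default alone never matches.
    for override in machineoverrides.split(":"):
        if re.match(compatible_machine, override):
            return True
    return False


def recipe_allowed(default, machineoverrides):
    """Combine both steps for one recipe on one machine."""
    need = resolve(default, RECIPE_OVERRIDES, machineoverrides)
    return compatible(need, machineoverrides)


if __name__ == "__main__":
    # Constructed MACHINEOVERRIDES values for three example machines.
    for machine in ("aarch64:qemuarm64", "mips64:qemumips64", "x86-64:qemux86-64"):
        print(machine, "no default:", recipe_allowed(None, machine),
              "default ^$:", recipe_allowed("^$", machine))
```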
Various aesthetic cleanups of section 1 of that manual, including:
* replace 'HOWTO' with manual
* add more examples of sdk-related images
* font fixes
(From yocto-docs rev: 608e93e13a8316a8d40e0675d4335084efa3736a)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
PACKAGECONFIG's first and second flag values will be added to PACKAGECONFIG_CONFARGS
and then to the appropriate variable (EXTRA_OECMAKE, or ...).
So we only need to mention PACKAGECONFIG_CONFARGS and it will lead to the other variables.
I added a custom example that can help understand PACKAGECONFIG very well.
(From yocto-docs rev: 7f26b0c0a08d6be9810128369265b0c494e7191b)
Signed-off-by: Talel BELHAJSALEM <bhstalel@gmail.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Integrating the following commit(s) to linux-yocto/6.5:
14f83e409308 serial: core: test for -EINPROGRESS during tx power management validation
1b5b735f311f serial: core: Fix checks for tx runtime PM state
dee98a75d75c Revert "serial-core: disable power managment for serial tx"
(From OE-Core rev: 4c9a85ed1d69e55963cd77122e5c869b30f3dbe4)
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>